How iOS 8 and OS X 10.10 need to fix iCloud Keychain

iCloud Keychain lets you generate, store, and manage strong, unique passwords between your iPhone, iPad, and/or Mac. In theory, that's an amazing win for both convenience and security. Unfortunately, it's only in theory. Sadly there are two big problems with iCloud Keychain, one conceptual, one architectural, that make it so that I — and anyone concerned with security — can't use it. Luckily, it's something that can and hopefully will be fixed with iOS 8 and OS X 10.10.

Re-authentication

The first problem with iCloud Keychain is that it doesn't demand re-authentication before it works. That means, as long as your iPhone, iPad, or Mac is unlocked, anyone using it has access to your stored passwords and credit cards. That also means, if iCloud Keychain is enabled, I can't hand my iPhone, iPad, or Mac over to a friend, colleague, acquaintance, family member, or anyone else, at all, ever, without having to worry about my passwords and credit cards being accessed.

If someone needs to make an emergency call, or look something up on the web, or try out one of my games, or do any of a hundred other things other people typically do when you hand them your device, there's a gaping security hole in the form of iCloud Keychain.

That's why third-party password managers require a "master password".

The idea is, even if you unlock and hand your iPhone, iPad, or Mac over to a third party, they'd be required to re-authenticate with your passcode, password, or Touch ID before iCloud Keychain could auto-fill a password or credit card.

Yes, the idea behind iCloud Keychain is to be so convenient that people using weak, repetitive passwords find it enticingly easy to stop doing that.

Apple's well aware of that because it's exactly how the App Store and iTunes Store work right now. After a certain, fairly short, length of time, you're required to re-authenticate in order to buy something. It's less convenient but way more secure. And, thanks to the App Store and iTunes Store, we're used to things working that way already.

With Touch ID, which should make its way into the next-generation iPad and mid-tier iPhones this fall, the loss of convenience would be minimal as well. Touch the sensor and the password or credit card fills. Simple as that.

Either way, iOS and OS X shouldn't treat web passwords and credit cards with any less protection than they treat iTunes accounts.

Better cryptography

Apple uses amazingly good, privacy and security-centric cryptography in almost every aspect of the iOS architecture. The big, glaring exception appears to be iCloud Keychain. Here's Security Now!'s Steve Gibson on the problem:

Here, in iCloud, for no explicable reason, they have not used the good curve. They have used the P-256 curve which nobody now trusts. We know that it came from a guy named Jerry Solinas at the NSA. I mean, we've gone back, the crypto community has really looked at this carefully. And it was generated by the NSA using an SHA-1 hash where we've been given the seed of a series of hashes, and downstream of the series is the result on which this elliptic curve is based. And I don't remember now whether it was Bernstein or Schneier or Matt. But all three of them have said no. And one of them suggested that, if the NSA knew how to find weaknesses in ECC, and there were enough of them, then they could hide the fact that they had found a weakness by using an SHA-1 hash chain and simply running it forward until it gave them a pseudorandom number that resulted in a weak key. That allows them to say, look, we didn't choose this weak key. The SHA-1 hash chain chose it for us.

So obviously it's random. Except they could have seeded - all they had to do was try a lot of them until they found one that was weak, and then present that one. And that was exactly what they did. They said, we started with this seed, we hashed it like crazy, and look what came out the other end. So trust us. And it turns out that there are, aside from suspicion, there are many characteristics of this specific curve that make it weak. And I've got links here in the show notes if anyone wants to pursue it. There's safecurves.cr.yp.to, which is Bernstein's site. There is another site that talks about it. Schneier has written that he absolutely would not trust this curve.
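The seeded derivation described in the quote above can be reproduced. The following is an added example, not part of the original article or of Apple's code: it applies the SHA-1 expansion from the ANSI X9.62 / FIPS 186 "verifiably random" procedure to the published P-256 seed and checks the relation b²·c ≡ −27 (mod p). The constants are NIST's published P-256 parameters (not taken from this page) and the function names are illustrative.

```python
import hashlib

# Published NIST P-256 domain parameters (FIPS 186); not taken from this article.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def derive_c(seed: bytes, p: int) -> int:
    """Expand a 160-bit seed into the integer c using the SHA-1 chain
    from the ANSI X9.62 / FIPS 186 'verifiably random' procedure."""
    bits = p.bit_length()
    v = (bits - 1) // 160          # number of additional SHA-1 blocks
    w = bits - 160 * v - 1         # bits kept from the first hash
    c = int.from_bytes(hashlib.sha1(seed).digest(), "big") & ((1 << w) - 1)
    z = int.from_bytes(seed, "big")
    for i in range(1, v + 1):
        s_i = ((z + i) % 2**160).to_bytes(20, "big")
        c = (c << 160) | int.from_bytes(hashlib.sha1(s_i).digest(), "big")
    return c


def seed_explains_b(seed: bytes, p: int, b: int) -> bool:
    """True when b satisfies b^2 * c = -27 (mod p) for the c derived from seed."""
    return (b * b * derive_c(seed, p) + 27) % p == 0


if __name__ == "__main__":
    print("published seed reproduces b:", seed_explains_b(SEED, P, B))
    flipped = bytes([SEED[0] ^ 1]) + SEED[1:]   # constructed: one bit changed
    print("one-bit-different seed:", seed_explains_b(flipped, P, B))
```

A passing check only shows that b follows from the seed; it says nothing about how the seed itself was chosen, which is the concern raised in the quote.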

I'm not smart enough to understand the details to the level Gibson does, but none of that sounds good to me. Here's how our security editor, Nick Arnott, puts it:

The vast majority of us do not fully, or even partially, grasp the mathematics behind cryptographically sound standards. Fortunately there's a community of people far smarter than us who do understand these things. When that community finds a standard to be weak, anybody interested in keeping things secure should move away from that standard. Apple appears to be using a curve that the security community has determined is weak and thusly, nobody, including Apple, should be using it if they want their security to be trusted and taken seriously.

If Apple can use rock-solid crypto throughout the rest of the system, it'd be great if they could use it for something as important as iCloud Keychain in iOS 8 and OS X 10.10 as well.

Because, again, there are few things as critical to keep safe as web passwords and credit card information.

iCloud Keychain: The bottom line

I should make clear that I don't think Apple has intentionally made iCloud Keychain weak, flawed, or otherwise compromised. Secure sync is incredibly hard. Balancing security and convenience is incredibly hard. Getting betas and releases out given Apple's deadlines is incredibly hard. Inevitably features get pushed back and things go missing.

But iCloud Keychain is incredibly important and these two things — re-authentication and better cryptography — simply need to be in place before I can use it and before I can recommend anyone else use it.